On 12 May 2026, the Consultative Committee of the Council of Europe’s Convention 108 published draft Guidelines on Privacy and Data Protection in the context of LLM-based systems. They are best read as a structured warning: many familiar LLM and agentic AI design choices sit uncomfortably with long-standing data protection principles, and controllers are expected to manage those tensions across the entire lifecycle of their systems.
Convention 108 is the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Together with its amending protocol (Convention 108+), it sets technology-neutral rules on lawfulness, fairness, purpose limitation, data minimisation, transparency, security, data subject rights and transborder data flows, grounded in the right to privacy in Article 8 ECHR. The Guidelines explain how those principles apply to LLM-based and agentic systems. They are addressed not only to model providers and deployers, but also to states, regulators, industry, civil society and end users, reflecting the distributed responsibilities across the LLM ecosystem. They also expressly supplement Convention 108+ and the Council of Europe’s new Framework Convention on AI, rather than replacing existing assessment tools such as data protection and broader human rights impact assessments.
The central message of the Guidelines is that LLM-based systems should be viewed through a lifecycle lens. The Guidelines break the LLM ecosystem into five stages – from model creation and post-training adaptation, through system integration and deployment, to end-user interaction – and propose an IAMM methodology: Identify, Assess, Mitigate, Monitor.
The Guidelines also make a key distinction between model level and system level risk, and make clear that controllers cannot confine their analysis to one layer.
- Model-level issues include web-scale ingestion of personal data, memorisation and regurgitation of identifiable content, hallucinations producing inaccurate personal data, and bias amplification.
- System-level risks arise once models are wrapped in RAG pipelines, plug-ins, tools, memory functions and agentic workflows, creating opaque data flows, cross-context leakage and persistent profiling through “intention predictive” personalisation.
Beyond these familiar categories, the Guidelines emphasise emerging risks from multimodal inferencing and “intention predictive” systems – including highly granular behavioural prediction, persistent agentic assistants and what they describe as a shift from an attention economy to an “intention economy”, with corresponding autonomy and manipulation concerns.
Although much of the document maps tensions with data protection principles, there are moments where it takes a firmer, normative stance.
- On risk governance, the IAMM framework is clear that a risk assessment is not an end in itself and not a way of legitimising processing. Where risks cannot be adequately prevented or minimised, “the processing should not be initiated, or should be suspended, discontinued, substantially redesigned, or excluded from the intended use”. Risk assessment is presented as a continuous and iterative exercise across the lifecycle, rather than a one-off impact assessment before launch.
- On security (Article 7 of Convention 108), controllers and processors must implement “appropriate security measures” that, in the LLM context, should extend to secure integration and authentication, robust access controls and compartmentalisation, monitoring and incident response, adversarial testing and red teaming, safeguards against prompt injection and manipulation attacks, and encryption and secure storage – all subject to continuous review as vulnerabilities evolve.
- Under Article 10 of Convention 108, lifecycle-oriented impact assessments are expected to lead to concrete measures such as data filtering and minimisation, privacy-enhancing technologies, secure integration and access management, monitoring and auditing, human oversight mechanisms, and safeguards against inferential profiling, manipulative processing and excessive behavioural prediction.
- For data subject rights (Article 9 of Convention 108), the Guidelines acknowledge that LLMs make access, rectification and erasure technically difficult, and respond by calling for additional mechanisms: practical rights exercise channels, enhanced traceability and documentation, clear allocation of responsibilities between actors, effective human oversight, limits on excessive profiling and meaningful complaint and redress routes.
On trade-offs, the Guidelines explicitly state that where a balance between privacy and performance, or between data protection principles, would create a “significant risk to individuals’ rights and freedoms”, priority should be given to protecting those rights – even if that means limiting functionalities or refraining from particular processing or deployment contexts. This rights-first stance is very much in line with the Council of Europe’s broader human rights mandate.
The value of the Guidelines lies less in providing definitive answers and more in systematically mapping the risks – including legal risks – that LLM and agentic AI practices pose in relation to established data protection principles. Because those principles are also at the core of GDPR-style regimes, the Guidelines are a useful indicator of how regulators may expect organisations to approach LLM compliance: as a lifecycle-wide governance commitment that applies data protection principles to the specific technical and operational realities of LLM-based and agentic systems.